kubernetes1.20 部署 traefik2.3

一、概述

Traefik 是一个开源的可以使服务发布变得轻松有趣的边缘路由器。它负责接收你系统的请求，然后使用合适的组件来对这些请求进行处理。

除了众多的功能之外，Traefik 的与众不同之处还在于它会自动发现适合你服务的配置。当 Traefik 在检查你的服务时，会找到服务的相关信息并找到合适的服务来满足对应的请求。

Traefik 兼容所有主流的集群技术，比如 Kubernetes，Docker，Docker Swarm，AWS，Mesos，Marathon，等等；并且可以同时处理多种方式。（甚至可以用于在裸机上运行的比较旧的软件。）

有了Traefik，就不需要维护和同步一个单独的配置文件：一切都会自动、实时地发生（没有重新启动，没有连接中断）。使用Traefik，您可以花时间在系统中开发和部署新特性，而不是配置和维护其工作状态。

二、概念

Edge Router

Traefik 是一个边缘路由器，是你整个平台的大门，拦截并路由每个传入的请求：它知道所有的逻辑和规则，这些规则确定哪些服务处理哪些请求；传统的反向代理需要一个配置文件，其中包含路由到你服务的所有可能路由，而 Traefik 会实时检测服务并自动更新路由规则，可以自动服务发现。

Auto Service Discovery

传统的边缘路由器（或反向代理）需要一个包含到服务的每个可能路由的配置文件，Traefik从服务本身获取它们。

在部署您的服务时，您需要附加一些信息，告诉Traefik服务可以处理的请求的特征。

这意味着在部署服务时，Traefik会立即检测到它并实时更新路由规则。反之亦然：当您从基础设施中删除服务时，路由将相应地消失。

您不再需要创建和同步混杂着IP地址或其他规则的配置文件。

核心概念

• Providers 用来自动发现平台上的服务，可以是编排工具、容器引擎或者 key-value 存储等，比如 Docker、Kubernetes、File
• Entrypoints 监听传入的流量（端口等…），是网络入口点，它们定义了接收请求的端口（HTTP 或者 TCP）。
• Routers 分析请求（host, path, headers, SSL, …），负责将传入请求连接到可以处理这些请求的服务上去。
• Services 将请求转发给你的应用（load balancing, …），负责配置如何获取最终将处理传入请求的实际服务。
• Middlewares 中间件，用来修改请求或者根据请求来做出一些判断（authentication, rate limiting, headers, …），中间件被附件到路由上，是一种在请求发送到你的服务之前（或者在服务的响应发送到客户端之前）调整请求的一种方法。

三、安装

由于 Traefik 2.X 版本和之前的 1.X 版本不兼容，而且1.X 已经停止更新了。这里选择功能更加强大的 2.X 版本来和大家进行讲解，使用的镜像是 traefik:2.3.7。

创建 traefik-crd.yaml 文件

在 traefik v2.1 版本后，开始使用 CRD（Custom Resource Definition）来完成路由配置等，所以需要提前创建 CRD 资源。

## IngressRoute
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
---
## IngressRouteTCP
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
---
## Middleware
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
---
## TraefikService
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
---
## TraefikTLSStore
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsstores.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSStore
    plural: tlsstores
    singular: tlsstore
---
## IngressRouteUDP
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressrouteudps.traefik.containo.us
spec:
  scope: Namespaced
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteUDP
    plural: ingressrouteudps
    singular: ingressrouteudp

# 部署 CRD 资源
# kubectl create -f traefik-crd.yaml
Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/ingressroutes.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/ingressroutetcps.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/middlewares.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/tlsoptions.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/traefikservices.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/tlsstores.traefik.containo.us created
customresourcedefinition.apiextensions.k8s.io/ingressrouteudps.traefik.containo.us created

创建rbac权限

Kubernetes 在 1.6 以后的版本中引入了基于角色的访问控制（RBAC）策略，方便对 Kubernetes 资源和 API 进行细粒度控制。Traefik 需要一定的权限，所以这里提前创建好 Traefik ServiceAccount 并分配一定的权限。

# cat traefik-rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system

# 部署 Traefik RBAC 资源
# kubectl create -f traefik-rbac.yaml
serviceaccount/traefik-ingress-controller created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created

另一种写法：

apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: kube-system
  name: traefik-ingress-controller
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups: [""]
    resources: ["services","endpoints","secrets"]
    verbs: ["get","list","watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses","networking.k8s.io"]
    verbs: ["get","list","watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses/status"]
    verbs: ["update"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["middlewares"]
    verbs: ["get","list","watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutes","traefikservices"]
    verbs: ["get","list","watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["ingressroutetcps","ingressrouteudps"]
    verbs: ["get","list","watch"]
  - apiGroups: ["traefik.containo.us"]
    resources: ["tlsoptions","tlsstores"]
    verbs: ["get","list","watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system

创建 Traefik 配置文件

在 Traefik 中的配置可以使用两种不同的方式：

• 动态配置：完全动态的路由配置
• 静态配置：启动配置

静态配置中的元素（这些元素不会经常更改）连接到 providers 并定义 Treafik 将要监听的 entrypoints。

在 Traefik 中有三种方式定义静态配置：在配置文件中、在命令行参数中、通过环境变量传递

动态配置包含定义系统如何处理请求的所有配置内容，这些配置是可以改变的，而且是无缝热更新的，没有任何请求中断或连接损耗。

由于 Traefik 配置很多，使用 CLI 定义操作过于繁琐，尽量使用将其配置选项放到配置文件中，然后存入 ConfigMap，将其挂入 traefik 中。

# cat traefik-config.yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik-config
  namespace: kube-system
data:
  traefik.yaml: |-
    serversTransport:
      insecureSkipVerify: true  ## Traefik 忽略验证代理服务的 TLS 证书
    api:
      insecure: true            ## 允许 HTTP 方式访问 API
      dashboard: true           ## 启用 Dashboard
      debug: true               ## 启用 Debug 调试模式
    metrics:
      prometheus: metrics       ## 配置 Prometheus 监控指标数据，并使用默认配置
    entryPoints:
      web:
        address: ":80"          ## 配置 80 端口，并设置入口名称为 web
      websecure:
        address: ":443"         ## 配置 443 端口，并设置入口名称为 websecure
      traefik:
        address: ":8090"        ## 配置 8090 端口，并设置入口名称为 dashboard
      metrics:
        address: ":8082"        ## 配置 8082 端口，作为metrics收集入口
      tcpep:
        address: ":8000"        ## 配置 8000 端口，作为tcp入口
      udpep:
        address: ":9000/udp"    ## 配置 9000 端口，作为udp入口
    providers:
      kubernetescrd:            ## 启用 Kubernetes CRD 方式来配置路由规则
        ingressclass: traefik-v2.3
      kubernetesingress:        ## 启动 Kubernetes Ingress 方式来配置路由规则
        ingressclass: traefik-v2.3
    log:
      filePath: "/etc/traefik/logs/traefik.log"              ## 设置调试日志文件存储路径，如果为空则输出到控制台
      level: error              ## 设置调试日志级别
      format: json                ## 设置调试日志格式
    accessLog:
      filePath: "/etc/traefik/logs/access.log"              ## 设置访问日志文件存储路径，如果为空则输出到控制台
      format: json                ## 设置访问调试日志格式
      bufferingSize: 0          ## 设置访问日志缓存行数
      filters:
        #statusCodes: ["200"]   ## 设置只保留指定状态码范围内的访问日志
        retryAttempts: true     ## 设置代理访问重试失败时，保留访问日志
        minDuration: 20         ## 设置保留请求时间超过指定持续时间的访问日志
      fields:                   ## 设置访问日志中的字段是否保留（keep 保留、drop 不保留）
        defaultMode: keep       ## 设置默认保留访问日志字段
        names:                  ## 针对访问日志特别字段特别配置保留模式
          ClientUsername: drop
        headers:                ## 设置 Header 中字段是否保留
          defaultMode: keep     ## 设置默认保留 Header 中字段
          names:                ## 针对 Header 中特别字段特别配置保留模式
            User-Agent: redact
            Authorization: drop
            Content-Type: keep

# 部署 Traefik ConfigMap 资源
# kubectl create -f traefik-config.yaml
configmap/traefik-config created

部署 Traefik

提前给节点设置Label，当程序部署Pod会自动调度到设置 Label的node节点上。

# kubectl label nodes develop-master-1 IngressProxy=traefik2.3
node/develop-master-1 labeled
# kubectl label nodes develop-worker-1 IngressProxy=traefik2.3
node/develop-worker-1 labeled
# kubectl label nodes develop-worker-2 IngressProxy=traefik2.3
node/develop-worker-2 labeled
# 验证节点标签是否成功
# kubectl get node --show-labels
NAME               STATUS   ROLES                              AGE   VERSION   LABELS
develop-master-1   Ready    control-plane,etcd,master,worker   98d   v1.20.4   IngressProxy=traefik2.3,beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=develop-master-1,kubernetes.io/os=linux,node-role.kubernetes.io/control-plane=,node-role.kubernetes.io/etcd=,node-role.kubernetes.io/master=,node-role.kubernetes.io/worker=
develop-worker-1   Ready    worker                             98d   v1.20.4   IngressProxy=traefik2.3,beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=develop-worker-1,kubernetes.io/os=linux,node-role.kubernetes.io/worker=
develop-worker-2   Ready    worker                             98d   v1.20.4   IngressProxy=traefik2.3,beta.kubernetes.io/arch=amd64,beta.kubernetes.io/os=linux,kubernetes.io/arch=amd64,kubernetes.io/hostname=develop-worker-2,kubernetes.io/os=linux,node-role.kubernetes.io/worker=,worker=worker2
# 节点删除Label标签
# kubectl label nodes develop-master-1 IngressProxy-
# kubectl label nodes develop-worker-1 IngressProxy-
# kubectl label nodes develop-worker-2 IngressProxy-

# cat traefik-deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-v2
  namespace: kube-system
  labels:
    app: traefik-v2
spec:
  replicas: 2
  selector:
    matchLabels:
      app: traefik-v2
  template:
    metadata:
      labels:
        app: traefik-v2
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 1
      containers:
        - name: traefik-v2
          image: traefik:v2.3
          args:
            - --configfile=/config/traefik.yaml
          ports:
            - name: web
              containerPort: 80
              hostPort: 80           #hostPort方式，将端口暴露到集群节点
            - name: websecure
              containerPort: 443
              hostPort: 443          #hostPort方式，将端口暴露到集群节点
            - name: admin
              containerPort: 8090
            - name: tcpep
              containerPort: 8000
            - name: udpep
              containerPort: 9000
          resources:
            limits:
              cpu: 500m
              memory: 1024Mi
            requests:
              cpu: 300m
              memory: 1024Mi
          securityContext:
            capabilities:              ## 只开放网络权限
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
          volumeMounts:
          - mountPath: "/config"
            name: "config"
          - mountPath: /etc/traefik/logs
            name: logdir
          - mountPath: /etc/localtime
            name: timezone
            readOnly: true
      volumes:
        - name: config
          configMap:
            name: traefik-config
        - name: logdir
          hostPath:
            path: /data/traefik/logs
            type: "DirectoryOrCreate"
        - name: timezone
          hostPath:
            path: /etc/localtime
            type: File
      tolerations:
        - operator: "Exists"        ## 设置容忍所有污点，防止节点被设置污点
      hostNetwork: true             ## 开启host网络，提高网络入口的网络性能
      nodeSelector:                 ## 设置node筛选器，在特定label的节点上启动
        IngressProxy: "traefik2.3"
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-v2
  namespace: kube-system
spec:
  type: LoadBalancer
  selector:
    app: traefik-v2
  ports:
    - protocol: TCP
      port: 80
      name: web
      targetPort: 80
    - protocol: TCP
      port: 443
      name: websecure
      targetPort: 443
    - protocol: TCP
      port: 8090
      name: admin
      targetPort: 8090
    - protocol: TCP
      port: 8000
      name: tcpep
      targetPort: 8000
---
apiVersion: v1
kind: Service
metadata:
  name: traefikudp-v2
  namespace: kube-system
spec:
  type: LoadBalancer
  selector:
    app: traefik-v2
  ports:
    - protocol: UDP
      port: 9000
      name: udpep
      targetPort: 9000

使用Deployment类型部署，以便于在多服务器间扩展，使用 hostport 方式占用服务器 80、443 端口，方便流量进入。

# 部署 Traefik
# kubectl create -f traefik-deploy.yaml
deployment.apps/traefik-v2 created
service/traefik-v2 created
service/traefikudp-v2 created

到此 Traefik v2.3 应用已经部署完成。

这时候就可以通过节点http://IP:8090,可以看到dashboard相关信息

四、路由配置

1、配置 HTTP 路由规则 （Traefik Dashboard 为例）

Traefik 应用已经部署完成，但是想让外部访问 Kubernetes 内部服务，还需要配置路由规则，这里开启了 Traefik Dashboard 配置，所以首先配置 Traefik Dashboard 看板的路由规则，使外部能够访问 Traefik Dashboard。

创建 Traefik Dashboard 路由规则文件 traefik-dashboard-route.yaml

因为静态配置文件指定了ingressclass，所以这里的annotations 要指定，否则访问会404

# cat traefik-dashboard-route.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik-v2.3
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`www.traefiktest.com`)
    kind: Rule
    services:
    - name: api@internal
      kind: TraefikService

# 部署Traefik Dashboard 路由规则对象
# kubectl create -f traefik-dashboard-route.yaml
ingressroute.traefik.containo.us/traefik-dashboard created

客户端通过域名访问服务，必须要进行 DNS 解析，可以通过 DNS 服务器进行域名解析，也可以修改 hosts 文件将 Traefik 指定节点的 IP 和自定义 host 绑定

# cat hosts
192.168.2.163 www.traefiktest.com

打开任意浏览器输入地址：http://www.traefiktest.com进行访问，打开 Traefik Dashboard.

此处没有配置验证登录，如果想配置验证登录，使用middleware即可。

2、配置 HTTP 路由规则

Traefik 已经部署完成，但是想让外部访问 Kubernetes 内部服务，还需要配置路由规则，这里用whoami 举例。

# 首先创建whoami 的 deployment
# cat whoami.yaml
## 创建一个http应用
apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami
  namespace: default
  labels:
    app: traefiklabs
    name: whoami
spec:
  replicas: 2
  selector:
    matchLabels:
      app: traefiklabs
      task: whoami
  template:
    metadata:
      labels:
        app: traefiklabs
        task: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami
          ports:
            - containerPort: 80
---
## http应用的service
apiVersion: v1
kind: Service
metadata:
  name: whoami
  namespace: default
spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: whoami
---
## 创建一个tcp应用
kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoamitcp
  namespace: default
  labels:
    app: traefiklabs
    name: whoamitcp
spec:
  replicas: 2
  selector:
    matchLabels:
      app: traefiklabs
      task: whoamitcp
  template:
    metadata:
      labels:
        app: traefiklabs
        task: whoamitcp
    spec:
      containers:
        - name: whoamitcp
          image: traefik/whoamitcp
          ports:
            - containerPort: 8080
---
## tcp应用的service
apiVersion: v1
kind: Service
metadata:
  name: whoamitcp
  namespace: default
spec:
  ports:
    - protocol: TCP
      port: 8080
  selector:
    app: traefiklabs
    task: whoamitcp
---
## 创建一个ucp应用
kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoamiudp
  namespace: default
  labels:
    app: traefiklabs
    name: whoamiudp
spec:
  replicas: 2
  selector:
    matchLabels:
      app: traefiklabs
      task: whoamiudp
  template:
    metadata:
      labels:
        app: traefiklabs
        task: whoamiudp
    spec:
      containers:
        - name: whoamiudp
          image: traefik/whoamiudp:latest
          ports:
            - containerPort: 8080
---
## ucp应用的service
apiVersion: v1
kind: Service
metadata:
  name: whoamiudp
  namespace: default
spec:
  ports:
    - port: 8080
  selector:
    app: traefiklabs
    task: whoamiudp

# kubectl create -f whoami.yaml
deployment.apps/whoami created
service/whoami created
deployment.apps/whoamitcp created
service/whoamitcp created
deployment.apps/whoamiudp created
service/whoamiudp created

# 创建 whoami 路由规则文件 whoami-ingreoute.yaml
# cat whoami-ingreoute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: myingressroute
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik-v2.3
spec:
  entryPoints:
    - web # 跟ConfigMap中的保持一致
  routes:
  - match: Host(`whoami.foxchan.com`) && PathPrefix(`/`)
    kind: Rule
    services:
    - name: whoami
      port: 80

# kubectl create -f whoami-ingreoute.yaml
ingressroute.traefik.containo.us/myingressroute created

主机hosts文件添加如下解析

192.168.2.163 whoami.foxchan.com

查看效果,可以看到是同一个浏览器访问的是同一个pod ，这个跟下面使用kuboard来创建traefik ingressroute，同一个浏览器不停刷新访问不同的pod

问题

1.通过上述使用yaml文件创建的traefik ingressroute,可以访问使用，通过kuboard界面上也能查看到，不过位置是在集群管理-自定义资源-traefik.containo.us中

2.yaml文件部署的traefik ingressroute，访问是的时候指定pod了，但是通过kuboard界面部署的traefik ingressroute，访问的时候pod 来回变换

使用建议

应用部署到service后就可以了，然后使用kuboard来创建traefik ingressroute，记得设置annotations

  annotations:
    kubernetes.io/ingress.class: traefik-v2.3

3、配置 HTTPS 路由规则

用 HTTPS 来访问我们这个应用的话，就需要监听 websecure 这个入口点，也就是通过 443 端口来访问，同样用 HTTPS 访问应用必然就需要证书，用 openssl 来创建一个自签名的证书：

# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=whoami.foxchan.com"
Generating a 2048 bit RSA private key
...................................+++
...........................................+++
writing new private key to 'tls.key'
-----
# ll
-rw-r--r-- 1 root root 1119 7月   8 15:55 tls.crt
-rw-r--r-- 1 root root 1704 7月   8 15:55 tls.key

通过 Secret 对象来引用证书文件

# 要注意证书文件名称必须是 tls.crt 和 tls.key
# kubectl create secret tls who-tls --cert=tls.crt --key=tls.key
secret/who-tls created

# 另一种方式
kubectl create secret generic who-tls --from-file=tls.crt --from-file=tls.key -n default

创建一个 HTTPS 访问应用的 IngressRoute 对象：

# cat whoami-ingreoute-tls.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutetls
  annotations:
    kubernetes.io/ingress.class: traefik-v2.3
spec:
  entryPoints:
    - websecure # 跟ConfigMap中的保持一致
  routes:
  - match: Host(`whoami.foxchan.com`)
    kind: Rule
    services:
    - name: whoami
      port: 80
  tls:
    secretName: who-tls

# kubectl create -f whoami-ingreoute-tls.yaml
ingressroute.traefik.containo.us/ingressroutetls created

使用建议

应用部署到service后就可以了，然后使用kuboard创建secret，然后来创建traefik ingressroute，记得设置annotations

  annotations:
    kubernetes.io/ingress.class: traefik-v2.3

4、配置 TCP 路由规则

# cat whoami-tcp.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ingressroutetcpwho
  annotations:
    kubernetes.io/ingress.class: traefik-v2.3
spec:
  entryPoints:
    - tcpep # 跟ConfigMap中的保持一致
  routes:
  - match: HostSNI(`*`)
    services:
    - name: whoamitcp
      port: 8080

5、配置udp路由规则

# whoami-udp.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
  name: ingressrouteudpwho
  annotations:
    kubernetes.io/ingress.class: traefik-v2.3
spec:
  entryPoints:
    - udpep # 跟ConfigMap中的保持一致
  routes:
  - services:
    - name: whoamiudp
      port: 8080

五、中间件

中间件是 Traefik2.0 中一个非常有特色的功能，可以根据自己的各种需求去选择不同的中间件来满足服务，Traefik 官方已经内置了许多不同功能的中间件，其中一些可以修改请求，头信息，一些负责重定向，一些添加身份验证等等，而且中间件还可以通过链式组合的方式来适用各种情况。

白名单举例

设置dashboard只能白名单的ip可以访问

# 创建白名单中间件
# cat middleware-ipwhitelist.yaml

# 然后将这个中间件附加到 dashboard的服务上面去
# cat traefik-dashboard-route.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik-v2.3
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`whoami.foxchan.com`)
    kind: Rule
    services:
    - name: api@internal
      kind: TraefikService
    middlewares:       #这里添加中间件的名字
      - name: gs-ipwhitelist

这个时候我们再去访问dashboard，不在白名单的就会报403

六、路由配置（高级）

在开始traefik的高级用法之前，还需要了解一个TraefikService，通过把TraefikService注册到CRD来实现更复杂的请求设置。

TraefikService 目前能用于以下功能

• servers load balancing.（负载均衡）
• services Weighted Round Robin load balancing.（权重轮询）
• services mirroring.（镜像）

1、负载均衡

# 创建k8s service
# cat svc-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: svc1
  namespace: default
spec:
  ports:
    - name: http
      port: 80
  selector:
    app: v1
---
apiVersion: v1
kind: Service
metadata:
  name: svc2
  namespace: default
spec:
  ports:
    - name: http
      port: 80
  selector:
    app: v2

# 创建IngressRoute
# cat svc-service-ingressroute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutelb
  namespace: default
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`whoami.foxchan.com`)
    kind: Rule
    services:
    - name: svc1
      namespace: default
    - name: svc2
      namespace: default

2、权重轮询

# 创建TraefikService
# cat wrr-service.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: wrr
  namespace: default
spec:
  weighted:
    services:
      - name: svc1
        port: 80
        weight: 3          # 定义权重
        kind: Service      # 可选，默认就是 Service
      - name: svc2
        port: 80
        weight: 1

# 创建IngressRoute
# 需要注意的是现在我们配置的 Service 不再是直接的 Kubernetes 对象了，而是上面我们定义的 TraefikService 对象
# cat wrr-service-ingressout.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutewrr
  namespace: default
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`who.foxchan.com`)
    kind: Rule
    services:
    - name: wrr
      namespace: default
      kind: TraefikService

3、镜像

1.流量复制到k8s 的service

# Mirroring from a k8s Service
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: mirror-k8s
  namespace: default
spec:
  mirroring:
    name: svc1       # 发送 100% 的请求到 K8S 的 Service "v1"
    port: 80
    mirrors:
      - name: svc2   # 然后复制 20% 的请求到 v2
        port: 80
        percent: 20

2.流量从Traefik Service 导入

# Mirroring from a Traefik Service
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: mirror-ts
  namespace: default
spec:
  mirroring:
    name: mirror-k8s          #流量入口从TraefikService 来
    kind: TraefikService
     mirrors:
       - name: svc2
         port: 80
         percent: 20

3.创建IngressRoute

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroute-mirror
  namespace: default
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`who.foxchan.com`)
    kind: Rule
    services:
    - name: mirror-k8s
      namespace: default
      kind: TraefikService

yaml文件下载地址

https://files.cnblogs.com/files/sanduzxcvbnm/yaml文件.zip

traefik镜像版本升级

文档中使用的traefik镜像是traefik:v2.3，若是升级到traefik:v2.5,启动后则会报错如下：

E0708 17:33:27.478347    1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.20.2/tools/cache/reflector.go:167: Failed to watch *v1alpha1.MiddlewareTCP: failed to list *v1alpha1.MiddlewareTCP: middlewaretcps.traefik.containo.us is forbidden: User "system:serviceaccount:kube-system:traefik-ingress-controller" cannot list resource "middlewaretcps" in API group "traefik.containo.us" at the cluster scope

v2.3启动后日志显示

v2.5启动后日志显示

看来若是升级的话，得改yaml文件中的内容才行

参考资料：

https://blog.51cto.com/foxhound/2545116?source=dra

https://www.cnblogs.com/heian99/p/14608414.html

https://blog.51cto.com/u_13760351/2764008